
BPDUGuard & BPDUFilter

November 20th, 2019

Quick review about BPDUGuard & BPDUFilter:

The BPDU Guard feature lets STP shut down an access port when that port receives a BPDU, placing it in the err-disabled state. BPDU Guard is configured under an interface with this command:

Switch(config-if)#spanning-tree bpduguard enable

Or configured globally via this command (BPDU Guard is enabled on all PortFast interfaces):

Switch(config)#spanning-tree portfast edge bpduguard default

BPDUFilter is designed to suppress the sending and receiving of BPDUs on an interface. There are two ways of configuring BPDUFilter: under global configuration mode or under interface mode, but they have a subtle difference.

If BPDUFilter is configured globally via this command:

Switch(config)#spanning-tree portfast bpdufilter default

BPDUFilter will be enabled on all PortFast-enabled interfaces and will suppress the interface from sending or receiving BPDUs. This is good if that port is connected to a host, because we can enable PortFast on the port to save some start-up time while not allowing BPDUs to be sent out to that host. Hosts do not participate in STP and hence drop any BPDUs they receive. As a result, BPDU filtering prevents unnecessary BPDUs from being transmitted to host devices.

If BPDUFilter is configured under interface mode like this:

Switch(config-if)#spanning-tree bpdufilter enable

It will suppress the sending and receiving of BPDUs. This is the same as disabling spanning tree on the interface. This choice is risky and should only be used when you are sure that the port connects only to host devices.

Question 1

Question 2

Question 3

Explanation

There are two ways to re-enable a port that BPDU Guard has placed in the err-disabled state. The first is to issue the “shut” and “no shut” commands on that port. The second is to use the “errdisable recovery cause bpduguard” command, so that the switch recovers the port automatically after the recovery interval.

Question 4

Explanation

At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html

Two sentences in the quote above (“This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs” and “If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled”) contradict each other. The first says the command prevents an interface from receiving BPDUs, while the second says that when it receives a BPDU, BPDU filtering is disabled!

The fact is that this command only prevents an interface from sending BPDUs. If the interface receives a BPDU, it loses its Port Fast feature and returns to being a normal switching port (with STP enabled).

Note: There is another important thing we want to mention here: there are two ways to configure the BPDU filtering feature, one in global configuration mode and one under a specific interface:

Configuring BPDU filter globally:
Switch(config)#spanning-tree portfast bpdufilter default
 
Configure BPDU Filter on the interface:
Switch(config-if)#spanning-tree bpdufilter enable (this overrides the global bpdufilter command above)

But the effect of these two commands is different, and you should remember:
+ When BPDU filtering is enabled globally and BPDUs are seen, the port loses its PortFast status, BPDU filtering is disabled, and the port returns to the normal state
+ When BPDU filtering is enabled on a specific port, it prevents this port from sending or receiving BPDUs (so if BPDUs are seen, they are dropped)
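The rules above (global vs. interface BPDU filter, BPDU Guard on PortFast ports, and the two ways out of the err-disabled state from the Question 3 explanation) are easy to mix up, so here is a small model of a single access port that applies them to an incoming BPDU. This is an added illustration written for this page, not Cisco IOS code or output; the class and field names are made up, the 300-second recovery interval is an assumed default, and the order in which the model checks the guard before revoking PortFast is a modelling assumption.

```python
"""Model of how one access port reacts to an incoming BPDU depending on
BPDU Guard / BPDU Filter configuration (global vs. interface) and how it
leaves the err-disabled state. Added illustration of the rules described
on this page; it is a simplified model, not Cisco IOS code."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PortConfig:
    portfast: bool = True                 # spanning-tree portfast (edge)
    bpduguard_global: bool = False        # spanning-tree portfast edge bpduguard default
    bpduguard_if: Optional[bool] = None   # spanning-tree bpduguard enable|disable (None = unset)
    bpdufilter_global: bool = False       # spanning-tree portfast bpdufilter default
    bpdufilter_if: Optional[bool] = None  # spanning-tree bpdufilter enable|disable (None = unset)
    recovery_bpduguard: bool = False      # errdisable recovery cause bpduguard
    recovery_interval: int = 300          # errdisable recovery interval in seconds (assumed default)


@dataclass
class Port:
    cfg: PortConfig
    state: str = "forwarding"
    portfast_operational: bool = field(init=False)
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.portfast_operational = self.cfg.portfast

    def guard_active(self) -> bool:
        """Interface-level setting wins; the global default only covers
        ports that are currently PortFast-operational."""
        if self.cfg.bpduguard_if is not None:
            return self.cfg.bpduguard_if
        return self.cfg.bpduguard_global and self.portfast_operational

    def filter_mode(self) -> str:
        """'interface': BPDUs dropped both ways (STP effectively off on the port).
        'global': outbound BPDUs suppressed while PortFast-operational; an
        inbound BPDU revokes PortFast and with it the filter.  'none': no filter."""
        if self.cfg.bpdufilter_if is not None:
            return "interface" if self.cfg.bpdufilter_if else "none"
        if self.cfg.bpdufilter_global and self.portfast_operational:
            return "global"
        return "none"

    def receive_bpdu(self) -> str:
        """Return what happened to the BPDU: 'dropped', 'err-disabled',
        'processed' (normal STP handling) or 'ignored' (port already down)."""
        if self.state == "err-disabled":
            return "ignored"
        mode = self.filter_mode()
        if mode == "interface":
            self.events.append("BPDU dropped by interface bpdufilter")
            return "dropped"
        # The BPDU reaches STP.  Guard is evaluated with the status the port
        # had when the BPDU arrived (modelling assumption).
        if self.guard_active():
            self.state = "err-disabled"
            self.events.append("BPDU Guard: port put in err-disabled state")
            return "err-disabled"
        if mode == "global":
            self.events.append("global bpdufilter: PortFast revoked, filtering stops")
        self.portfast_operational = False   # the port becomes a normal STP port
        self.state = "listening"
        return "processed"

    def recover(self, shut_no_shut: bool = False, seconds_elapsed: int = 0) -> str:
        """Leave err-disabled either by 'shut' / 'no shut' on the port, or when
        errdisable recovery for cause bpduguard is enabled and its interval expires."""
        if self.state != "err-disabled":
            return self.state
        timer_expired = (self.cfg.recovery_bpduguard
                         and seconds_elapsed >= self.cfg.recovery_interval)
        if shut_no_shut or timer_expired:
            self.state = "listening"
            self.events.append("port recovered from err-disabled state")
        return self.state


def bpdu_outcome(cfg: PortConfig) -> str:
    """Outcome of a single inbound BPDU on a freshly configured port."""
    return Port(cfg).receive_bpdu()


if __name__ == "__main__":
    for name, cfg in [
        ("global bpdufilter", PortConfig(bpdufilter_global=True)),
        ("interface bpdufilter", PortConfig(bpdufilter_if=True)),
        ("global bpduguard", PortConfig(bpduguard_global=True)),
        ("global bpduguard, no portfast", PortConfig(portfast=False, bpduguard_global=True)),
    ]:
        print(f"{name:32s} -> {bpdu_outcome(cfg)}")
```

Running the script prints "processed" for the global filter (the port silently drops out of PortFast and starts running STP), "dropped" for the interface filter (STP never sees the BPDU), "err-disabled" for a PortFast port with global BPDU Guard, and "processed" for the same guard on a port that was never PortFast, which is why the global guard command only protects ports you have actually marked as edge ports.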

Question 5

Explanation

BPDUFilter is designed to suppress the sending and receiving of BPDUs on an interface. There are two ways of configuring BPDUFilter: under global configuration mode or under interface mode, but they have a subtle difference.

If BPDUFilter is configured globally via this command:

Switch(config)#spanning-tree portfast bpdufilter default

BPDUFilter will be enabled on all PortFast-enabled interfaces and will suppress the interface from sending or receiving BPDUs. This is good if that port is connected to a host, because we can enable PortFast on the port to save some start-up time while not allowing BPDUs to be sent out to that host. Hosts do not participate in STP and hence drop any BPDUs they receive. As a result, BPDU filtering prevents unnecessary BPDUs from being transmitted to host devices.

If BPDUFilter is configured under interface mode like this:

Switch(config-if)#spanning-tree bpdufilter enable

It will suppress the sending and receiving of BPDUs. This is the same as disabling spanning tree on the interface. This choice is risky and should only be used when you are sure that the port connects only to host devices.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html

Question 6

Explanation

The “spanning-tree portfast bpdufilter default” command is configured under global configuration mode. To stop receiving unwanted BPDUs (for easier troubleshooting), he can issue that command, which enables BPDUFilter on all PortFast-enabled interfaces and suppresses them from sending or receiving BPDUs. This is good if the port is connected to a host, because we can enable PortFast on the port to save some start-up time while not allowing BPDUs to be sent out to that host. Hosts do not participate in STP and hence drop any BPDUs they receive. As a result, BPDU filtering prevents unnecessary BPDUs from being transmitted to host devices.

Question 7

Question 8

Explanation

BPDU Guard feature allows STP to shut an access port in the event of receiving a BPDU.

Root Guard ensures that the port on which root guard is enabled remains the designated port. If the bridge receives superior BPDUs on a root guard-enabled port, root guard moves this port to the root-inconsistent STP state (equivalent to the STP listening state). No traffic is forwarded across this port. In this way, root guard enforces the position of the root bridge.

Loop guard feature provides additional protection against STP loops. An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. This usually happens because one of the ports of a physically redundant topology (not necessarily the STP blocking port) no longer receives STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs based on the port role. The designated port transmits BPDUs, and the non-designated port receives BPDUs.

When one of the ports in a physically redundant topology no longer receives BPDUs, STP concludes that the topology is loop free. Eventually the blocking port (the alternate or backup port) becomes designated and moves to the forwarding state. This situation creates a loop.

The loop guard feature makes additional checks. If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state, instead of the listening/learning/forwarding state. Without the loop guard feature, the port assumes the designated port role. The port moves to the STP forwarding state and creates a loop.

So none of the three features above allows the port to transition between STP states. How about BPDU Filter?

At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html

Two sentences in the quote above (“This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs” and “If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled”) contradict each other. The first says the command prevents an interface from receiving BPDUs, while the second says that when it receives a BPDU, BPDU filtering is disabled!

The fact is that this command only prevents an interface from sending BPDUs. If the interface receives a BPDU, it loses its Port Fast feature and returns to being a normal switching port (with STP enabled).

There are two ways to configure the BPDU filtering feature, one in global configuration mode and one under a specific interface:

Configuring BPDU filter globally:
Switch(config)#spanning-tree portfast bpdufilter default

Configure BPDU Filter on the interface:
Switch(config-if)#spanning-tree bpdufilter enable (this overrides the global bpdufilter command above)

But the effect of these two commands is different, and you should remember:
+ When BPDU filtering is enabled globally and BPDUs are seen, the port loses its PortFast status, BPDU filtering is disabled, and the port returns to the normal state
+ When BPDU filtering is enabled on a specific port, it prevents this port from sending or receiving BPDUs (so if BPDUs are seen, they are dropped)

Therefore, in this question we can only consider the BPDU Filter under global configuration mode. In this mode the port can transition between STP states.
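Each of the protection features discussed in this explanation announces itself in the switch log when it acts: BPDU Guard err-disables a port, Root Guard and Loop Guard move a port into an inconsistent blocking state, and errdisable recovery tries to bring a port back. From a monitoring point of view, the interesting signal is an access port that keeps tripping BPDU Guard after every recovery, because something on that port is persistently speaking STP. The following parser is an added example written for this page, not Cisco tooling; the sample lines are constructed in the shape of the IOS %SPANTREE and %PM syslog messages, not captured from a real switch, and the event names and threshold are my own.

```python
"""Classify Cisco-style STP protection syslog messages (BPDU Guard, Root
Guard, Loop Guard, err-disable / recovery) and summarise them per interface.
Added example for this page; the log text below is constructed to mimic
IOS message formats and is not real switch output."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Constructed sample log: Gi0/5 trips BPDU Guard, recovers, and trips again.
SAMPLE_LOG = """\
Jan 17 10:01:02.123: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/5 with BPDU Guard enabled. Disabling port.
Jan 17 10:01:02.125: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/5, putting Gi0/5 in err-disable state
Jan 17 10:03:40.001: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/24 on VLAN0010.
Jan 17 10:04:10.500: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/23 on VLAN0010.
Jan 17 10:06:02.200: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi0/5
Jan 17 10:06:05.000: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/5 with BPDU Guard enabled. Disabling port.
Jan 17 10:06:05.002: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/5, putting Gi0/5 in err-disable state
Jan 17 10:09:00.000: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet0/23 on VLAN0010.
"""

MNEMONIC_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<msg>.*)$")
IFACE_RE = re.compile(r"\b((?:GigabitEthernet|FastEthernet|TenGigabitEthernet|Gi|Fa|Te)\d+(?:/\d+)+)\b")
VLAN_RE = re.compile(r"\bVLAN(\d+)\b")
CAUSE_RE = re.compile(r"(\w+) (?:error detected|err-disable)")

# Mnemonic -> event label used in the summary (labels are my own names).
EVENTS = {
    "BLOCK_BPDUGUARD": "bpduguard_block",
    "ERR_DISABLE": "errdisable",
    "ERR_RECOVER": "errdisable_recover",
    "ROOTGUARD_BLOCK": "rootguard_block",
    "ROOTGUARD_UNBLOCK": "rootguard_unblock",
    "LOOPGUARD_BLOCK": "loopguard_block",
    "LOOPGUARD_UNBLOCK": "loopguard_unblock",
}
SHORT_NAMES = {"GigabitEthernet": "Gi", "FastEthernet": "Fa", "TenGigabitEthernet": "Te"}


def short_name(iface: str) -> str:
    """Normalise 'GigabitEthernet0/5' and 'Gi0/5' to the same key."""
    for long, short in SHORT_NAMES.items():
        if iface.startswith(long):
            return short + iface[len(long):]
    return iface


def parse_line(line: str) -> Optional[dict]:
    """Return {'event', 'iface', 'vlan', 'cause'} for a recognised message, else None."""
    m = MNEMONIC_RE.search(line)
    if not m or m.group("mnemonic") not in EVENTS:
        return None
    msg = m.group("msg")
    iface = IFACE_RE.search(msg)
    vlan = VLAN_RE.search(msg)
    cause = CAUSE_RE.search(msg)
    return {
        "event": EVENTS[m.group("mnemonic")],
        "iface": short_name(iface.group(1)) if iface else None,
        "vlan": int(vlan.group(1)) if vlan else None,
        "cause": cause.group(1) if cause else None,
    }


def summarize(log_text: str) -> Dict[str, Counter]:
    """Per-interface count of each protection event."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["iface"]:
            summary[rec["iface"]][rec["event"]] += 1
    return dict(summary)


def repeat_offenders(summary: Dict[str, Counter], threshold: int = 2) -> List[str]:
    """Interfaces whose BPDU Guard has tripped at least `threshold` times: with
    errdisable recovery enabled this is the flapping pattern of a port that keeps
    receiving BPDUs, i.e. a device on an edge port that is speaking STP."""
    return sorted(i for i, c in summary.items() if c["bpduguard_block"] >= threshold)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for iface, counts in sorted(result.items()):
        print(iface, dict(counts))
    print("repeat BPDU Guard offenders:", repeat_offenders(result))
```

On the constructed sample the summary shows Gi0/5 with two BPDU Guard blocks, two err-disable entries and one recovery attempt, so it is reported as a repeat offender, while Gi0/23 and Gi0/24 show single Loop Guard and Root Guard blocks that warrant a look at the redundant uplinks rather than at a host port. Raising `threshold` or bucketing by time window would be the natural next step in a real log pipeline.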

Question 9

Explanation

BPDU Guard feature allows STP to shut an access port in the event of receiving a BPDU.

Comments
  1. Kelvincenka
    January 17th, 2020

    Anyone who has taken the exam lately? I am planning to do mine on Monday.

  2. ugee
    January 18th, 2020

    Q4
    Question 4

    What is the effect of configuring the following command on a switch?
    Switch(config)# spanning-tree portfast bpdufilter default
    A. If BPDUs are received by a port configured for PortFast, then PortFast is disabled and the BPDUs are processed normally.
    B. If BPDUs are received by a port configured for PortFast, they are ignored and none are sent.
    C. If BPDUs are received by a port configured for PortFast, the port will transition to forwarding state.
    D. The command will enable BPDU filtering on all ports regardless of whether they are configured for BPDU filtering at the interface level.

    B should be the answer
    Globally only ports that have portfast are affected when BPDUs are set globally, if no portfast it is sent normally

  3. FB
    January 27th, 2020

    Q8 – Answer is D

    From Cisco Press Implementing Cisco IP Switched Networks 300-115

    “Loop Guard Overview”
    The STP Loop Guard feature provides additional protection against Layer 2 loops. A Layer 2 loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state.
    This usually happens because one of the ports of a physically redundant topology (not necessarily the STP blocking port) no longer receives STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs based on the port role. The designated port transmits BPDUs, and the nondesignated port receives BPDUs.

  4. JC
    January 29th, 2020

    Q8 is D

    “When enabled, Loop Guard keeps track of the BPDU activity on nondesignated ports. While BPDUs are received, the port is allowed to behave normally. When BPDUs go missing, Loop Guard moves the port into the loop-inconsistent state. The port is effectively blocking at this point to prevent a loop from forming and to keep it in the nondesignated role.
    When BPDUs are received on the port again, Loop Guard allows the port to move through the normal STP states and become active.”

  5. suntzu
    February 22nd, 2020

    Q4 A is definitely the answer

    “If a BPDU is received, portfast state is revoked and filter is disabled, BPDUs are processed normally, STP starts normally”
